Microsoft has taken the unusual step of issuing a statement to deny what it claims to be misleading reports about a recent ransomware campaign.
Stories emerged earlier this month that a number of organizations in Spain had been infected with the DoppelPaymer ransomware, with some rumors claiming links to Microsoft’s Teams platform and the infamous Bluekeep vulnerability.
However, a statement penned yesterday by senior security program managers at the Microsoft Security Response Center (MSRC), Dan West and Mary Jensen, poured cold water on the rumors.
“There is misleading information circulating about Microsoft Teams, along with references to RDP (BlueKeep), as ways in which this malware spreads,” they noted.
“Our security research teams have investigated and found no evidence to support these claims. In our investigations we found that the malware relies on remote human operators using existing Domain Admin credentials to spread across an enterprise network.”
The duo claimed that one of the most common ways to spread ransomware continues to be social engineering, where employees are lured into clicking on a phishing email or opening a malicious attachment.
“Security administrators should view this threat as additional motivation to enforce good credential hygiene, least privilege, and network segmentation,” they concluded.
“These best practices can help prevent DopplePaymer operators and other attackers from disabling security tools and using privileged credentials to destroy or steal data or hold it for ransom.”
The attacks in question happened in early November, affecting IT services company Everis and radio company Sociedad Española de Radiodifusión (Cadena SER), although others including Spanish airport operator Aena are said to have taken some services down as a precaution.
Global ransomware attacks soared by over 74% year-on-year in the first half of 2019, according to Bitdefender.
Although there have been reports of attackers trying to use the wormable Bluekeep vulnerability to disseminate crypto-mining malware, there have been no such confirmed efforts to spread ransomware thus far.